How to Secure Your Web Application? (Part 1) – Overview
- Nadeeshani Nawarathne

- Nov 27, 2023
- 4 min read

Developing a web application is by no means an easy feat, but try developing a “secure” web application. That takes more effort and a basic understanding of information security and web security. And that’s exactly what we’ll be doing in this article series: we will dive headfirst into the essentials of web security by developing a web application together. Sounds exciting? Then buckle up and enjoy the ride. The road may not be smooth, but with a mentor by your side, I promise you won’t get lost in this web of unknown roads.
“What’s with all this talk of roads and the excessive use of motor vehicle jargon?” you might be thinking. I tried to work in a little pun here (without realising it would backfire so horribly), because we’re going to develop a web application for vehicle reservations. Putting the silly jokes and puns aside, I think it’s time to hit the road.
The Overview of the Web application we’ll be developing
It’s a vehicle reservation application that we’ll be developing – which I named ClickForTrips.
The key features
- Login using the OIDC protocol through Okta.
- Logout mechanism to securely end user sessions.
- Once the user is logged in, show the authenticated user’s details: username, name, email, contact number, and country.
- Displaying a list of both past and future vehicle service reservations.
- Allowing users to remove upcoming service reservations they’ve made.
- Allowing users to edit upcoming service reservations they’ve made.
- Allowing users to make new reservations by entering details such as date, preferred time, location, vehicle registration number, current mileage, and a message.
- Mitigating OWASP Top 10 vulnerabilities such as SQL injection, XSS, CSRF, and authentication bypass.
- Access control, ensuring users can only view and manage their own reservations.
- MySQL database integration.
Screenshots of Click For Trips
Technology stack used
- Java – the primary programming language for backend development
- HTML and CSS – used for generating dynamic web content and styling within Java-based views
- Spring Boot – to facilitate rapid development
- Spring Security – to incorporate web security
- MySQL – to store and manage vehicle reservation records
- Tomcat 9 – used to run and host the web application
- IntelliJ IDEA – the IDE
Challenges I faced during the development and what I learned.
The development process of Click For Trips was no smooth journey. How many times I was on the verge of giving up, only I know. But looking back, every minute and every obstacle seems worth it, because I learnt a lot through this project. And I hope you will too. Though I came across the following challenges, that doesn’t mean you have to. That’s why I’m listing them out, in the hope that I’m helping you, well, at least a little.
- Choosing the IdP
Yes, authentication is the most important part of securing your application. But surprisingly, the number of resources I could find on implementing one of them was devastatingly small! I switched back and forth between different IdPs only to land on Okta. And even after that, the supply of comprehensive tutorials was meagre. Maybe the mindset I had, that someone should hand me the full tutorial from start to finish, from scratch, as a whole package, so that I could sit back and repeat the coding I saw on screen, was to blame. Anyway, it didn’t work this time; I had to refer to at least 20 different documentation pages, videos and tutorials before implementing everything correctly. Was I frustrated? Maybe I was. But I don’t regret a second of it, as I learnt so much.
That is the best thing I learned through this project – “You fall a million times, and you get back up only to feel an exhilaration filling you. Yes, I finally did it!” Welcome to the life of a developer!
- Balancing security and user convenience was hard.
You know, the user doesn’t give much thought to security until something bad happens to their data; at first glance, they base their impression on the convenience of the application.
So, even though it was enticing to implement Multi-Factor Authentication, I abstained from it because no one wants to go through two or three measures of authentication just to book a vehicle. A robust, single authentication factor was enough, given the context.
- CSRF (Cross-Site Request Forgery) Token Configuration
Setting up and configuring CSRF tokens for preventing CSRF attacks posed a challenge. Overcoming this required a deep understanding of CSRF protection mechanisms and careful implementation to ensure security.
So, I’m telling you again, every second of this development journey was DEFINITELY WORTH IT.
What you can expect in this article series
In the follow-up articles, we’ll see how the different security aspects are incorporated into the application. Mainly, we’ll go through:
- Authentication protocols and handling user authentication, along with best practices
- Access control and secure authorization
- A comprehensive overview of the OWASP Top 10 vulnerabilities and how to mitigate them
This is the starting point of the journey. So, if you like to see how we’ll bring this application to life – with much emphasis on security aspects – hope to see you in the next article of the series – “How to Secure Your Web Application?”.
If you want to take a look at the full project, it’s available here in this GitHub repository.
With much love,